How to prepare your organization for the FTC Safeguards Rule deadline
After widespread data breaches and cyberattacks targeting customer information, the Federal Trade Commission (FTC) saw fit to update the Safeguards Rule in 2021.
The rule originally applied to what would traditionally be considered financial institutions — namely banks and credit unions. Now that designation has expanded to include businesses that the FTC deems nonbanking financial institutions.
A nonbanking financial institution is any business that has access to personal information in the financial transaction supply chain. This includes businesses such as wealth and asset managers, lenders and even dealerships due to their finance departments.
The updated rule was originally supposed to go into effect on December 9, 2022. But, with many businesses still struggling to comply, the FTC extended the compliance date by six months.
Here’s what you need to know to help your organization meet the new June 9, 2023, compliance deadline:
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a set of shared guidelines to ensure that every business that handles personal information meets a certain standard of security. It helps businesses fulfil the responsibility they have for keeping customer information safe.
On a basic level, the Safeguards Rule requires companies to implement an information security program overseen by an information security officer (ISO). However, that involves several different controls that companies will have to instate to be compliant.
Here is a brief overview of the requirements:
Administrative controls
You must:
- Document a written information security program.
- Designate a qualified individual to act as the ISO responsible for oversight.
- Perform annual risk assessments.
- Develop, implement and manage data backup, retention and destruction procedures.
- Provide employees with awareness training.
- Oversee service providers and conduct vendor management.
- Develop a written incident response plan.
- Ensure regular reporting from the ISO and annual updates to the board
Technical controls
You must:
- Implement and test access and authentication.
- Implement multifactor authentication for any individual with network access.
- Encrypt customer data in transit and at rest.
- Conduct continuous securing monitoring or regular penetration testing.
- Protect access to network and paper documents.
You can find the full list of safeguards here.
4 steps to help ensure your compliance
Newly deemed nonbanking financial institutions may struggle with compliance given the comprehensive nature of the requirements. Many organizations don’t yet have the infrastructure in place to implement all the controls.
If you’re uncertain of where your organization stands, here are four practical tips:
1. Implement your information security program
The key to a compliant information security program is that it needs to be both formalized and put into practice.
Some businesses already have technical controls in place, but they haven’t created a formal plan. For other businesses, the opposite is true — they have a set of policies, but they haven’t put them into practice.
In both cases, your solution is to appoint an ISO. You need someone with experience to oversee your plan and make sure it suits the unique needs of your organization.
If you don’t have someone appointed already, consider outsourcing it and other important positions, such as the chief information officer.
2. Complete user training and awareness
Training your team to identify and avoid potential security threats is a crucial part of your security plan. Employees can either prevent an attack or enable one based on their actions.
An easy option to facilitate this training is through online courses, such as KnowBe4. These courses minimize disruption by providing flexibility for when employees can complete the training.
Regardless of the method, the goal is to provide your employees with the knowledge they need to help keep information safe.
3. Engage in continuous monitoring
The FTC Safeguards Rule provides two different methods for testing the efficacy of your controls: regular testing or continuous monitoring.
With regular testing, you’ll need to perform biannual vulnerability tests and annual penetration tests.
With continuous monitoring, the system watches for any anomalous behavior that could indicate an attack. For example, if a login from a foreign country at an unusual time occurs, that behavior would be tagged for further investigation.
Your business will need to choose the option that best suits its needs. However, to maximize the benefit of this control, consider engaging both.
Continuous monitoring will ensure that any potential threats are quickly identified and isolated during your day-to-day operations. Regular testing will provide additional support and ensure that there aren’t any vulnerabilities in your continuous monitoring systems.
Paired together, the two provide your organization with a strong defense against any attacks.
4. Enable cloud services security
More businesses are turning to cloud-based services to improve productivity and facilitate remote work. As part of the FTC Safeguards Rule, you’ll need to apply security controls and governance over your cloud services as well.
Most cloud services provide customers with advanced security controls, such as multifactor authentication. However, these controls are not turned on automatically. Customers need to intentionally enable them.
If you’re using a cloud service, make sure to check that you’re using all the security controls available to you.
How Wipfli can help
Your organization has a responsibility to keep your customers’ information safe. But are you doing enough? Wipfli is here to assist you with any aspect of the FTC Safeguards Rule.
Our team can help you ensure that you are compliant and that your data security can be trusted. Contact us to today to help your organization stay secure.
Sign up to receive more information in your inbox, or continue reading:
